Hello,
If you are receiving the event in /var/ossec/logs/archives/archives.log but no alert is triggered, it may be that there is no specific decoder or rule for those events and you will have to create custom ones. Could you share with me the events you are receiving in archives.log?
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/61c1f63d-e75e-4828-bdd9-c97a55b45246n%40googlegroups.com.
Hello,
If you can’t share with me the archives.log log, you can test it yourself using wazuh-logtest. To do this, you will need to take the log from archives.log, remove the header from it and insert it into wazuh-logtest. That is, if our log is:
2022 Jun 21 15:27:42 NoName->/tmp/test.log Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox
The log we should test is:
Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox
To test it, we run /var/ossec/bin/wazuh-logtest and enter the log:
[root@localhost vagrant]# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.3.0
Type one log per line
Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox
**Phase 1: Completed pre-decoding.
full event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
timestamp: 'Jun 14 12:00:29'
hostname: 'NoName'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
id: '2501'
level: '5'
description: 'syslog: User authentication failure.'
groups: '['syslog', 'access_control', 'authentication_failed']'
firedtimes: '4'
gdpr: '['IV_35.7.7.d', 'IV_32.2']'
gpg13: '['7.8']'
hipaa: '['164.312.b']'
mail: 'True'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
This way we can see if the event is being decoded correctly, what information is being extracted and if an alert should be triggered.
You can see more info about wazuh-logtest here.
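As an added example (not part of this thread and not Wazuh's own code), the header-stripping step described above can be automated so that a whole archives.log can be fed to wazuh-logtest line by line, and the Phase 2/3 output checked for whether a decoder matched and which rule fired. The archives.log header format is taken from the line quoted in the reply; the parenthesised "(agent) ip->location" form for events forwarded by agents and the path /var/ossec/bin/wazuh-logtest are assumptions. The sample archive lines and the sample wazuh-logtest output below are constructed for the example.

```python
import os
import re
import subprocess
import sys

# Header that archives.log prepends to every event (manager timestamp, event
# source, "->", log location, then the original message), e.g.
#   2022 Jun 21 15:27:42 NoName->/tmp/test.log <original log>
#   2022 Jun 21 15:27:42 (agent01) 10.0.0.5->/var/log/secure <original log>
# The second, parenthesised form for agent events is an assumption.
ARCHIVE_HEADER = re.compile(
    r"^\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "  # manager timestamp
    r"(?P<source>.+?)->(?P<location>\S+) "               # source and location
    r"(?P<log>.*)$"                                      # the log to test
)

# Constructed sample archives.log content (first line is the one from the thread).
SAMPLE_ARCHIVE = (
    "2022 Jun 21 15:27:42 NoName->/tmp/test.log Jun 14 12:00:29 NoName login failure "
    "for user admin from 192.168.0.204 via winbox\n"
    "2022 Jun 21 15:28:01 (agent01) 10.0.0.5->/var/log/secure Jun 21 15:28:00 agent01 "
    "sshd[2211]: Failed password for invalid user test from 10.0.0.9 port 40022 ssh2\n"
    "this line has no archives.log header and is skipped\n"
)


def strip_archive_header(line):
    """Return the original log carried by an archives.log line, or None
    if the line does not start with the archives.log header."""
    m = ARCHIVE_HEADER.match(line.rstrip("\n"))
    return m.group("log") if m else None


def extract_logs(archive_text):
    """Strip the header from every line of archives.log content, skipping
    lines that do not carry it."""
    logs = []
    for line in archive_text.splitlines():
        log = strip_archive_header(line)
        if log is not None:
            logs.append(log)
    return logs


# Patterns for the lines of wazuh-logtest output that matter for a quick check.
DECODER_NAME = re.compile(r"^\s*name: '([^']+)'")
RULE_ID = re.compile(r"^\s*id: '(\d+)'")
RULE_LEVEL = re.compile(r"^\s*level: '(\d+)'")


def summarize_logtest(output):
    """Reduce wazuh-logtest output to: did a decoder match, which one,
    which rule id/level fired, and would an alert be generated."""
    summary = {"decoded": True, "decoder": None, "rule_id": None, "level": None, "alert": False}
    phase = 0
    for line in output.splitlines():
        if line.startswith("**Phase "):
            phase = int(line[8])          # "**Phase N: ..." -> N
            continue
        if line.startswith("**Alert to be generated"):
            summary["alert"] = True
        elif phase == 2:                  # decoding phase
            if "No decoder matched." in line:
                summary["decoded"] = False
            m = DECODER_NAME.match(line)
            if m:
                summary["decoder"] = m.group(1)
        elif phase == 3:                  # rule matching phase
            m = RULE_ID.match(line)
            if m:
                summary["rule_id"] = m.group(1)
            m = RULE_LEVEL.match(line)
            if m:
                summary["level"] = int(m.group(1))
    return summary


def run_logtest(log, binary="/var/ossec/bin/wazuh-logtest"):
    """Feed one log to wazuh-logtest via stdin and summarize the result.
    Returns None when the binary is not present (e.g. off a Wazuh manager)."""
    if not os.path.isfile(binary):
        return None
    proc = subprocess.run([binary], input=log + "\n", capture_output=True, text=True, timeout=30)
    return summarize_logtest(proc.stdout)


# Constructed sample wazuh-logtest output, modelled on the run shown in the thread.
SAMPLE_LOGTEST_OUTPUT = """**Phase 1: Completed pre-decoding.
\tfull event: 'Jun 14 12:00:29 NoName login failure for user admin from 192.168.0.204 via winbox'
\ttimestamp: 'Jun 14 12:00:29'
\thostname: 'NoName'
**Phase 2: Completed decoding.
\tNo decoder matched.
**Phase 3: Completed filtering (rules).
\tid: '2501'
\tlevel: '5'
\tdescription: 'syslog: User authentication failure.'
**Alert to be generated.
"""

if __name__ == "__main__":
    # Usage: python3 logtest_batch.py [/var/ossec/logs/archives/archives.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    for log in extract_logs(text):
        result = run_logtest(log) or summarize_logtest(SAMPLE_LOGTEST_OUTPUT)
        print(f"{result} <- {log}")
```

Running it on a manager with archives.log as the argument prints one summary per event; a result with `decoded: False` is the case the reply describes, where only a generic rule such as 2501 fires and a custom decoder is needed. Off a manager, the script falls back to the embedded sample output so the parsing can be tried anywhere.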